package org.apache.nifi.processors.standard;

import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.annotation.behavior.EventDriven;
import org.apache.nifi.annotation.behavior.InputRequirement;
import org.apache.nifi.annotation.behavior.SideEffectFree;
import org.apache.nifi.annotation.behavior.SupportsBatching;
import org.apache.nifi.annotation.behavior.SystemResource;
import org.apache.nifi.annotation.behavior.SystemResourceConsideration;
import org.apache.nifi.annotation.behavior.WritesAttribute;
import org.apache.nifi.annotation.behavior.WritesAttributes;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.flowfile.attributes.CoreAttributes;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.ProcessorInitializationContext;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.io.StreamCallback;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.security.util.KeyDerivationFunction;
import org.apache.nifi.security.util.crypto.CipherUtility;
import org.apache.nifi.security.util.crypto.KeyedEncryptor;
import org.apache.nifi.security.util.crypto.OpenPGPKeyBasedEncryptor;
import org.apache.nifi.security.util.crypto.OpenPGPPasswordBasedEncryptor;
import org.apache.nifi.security.util.crypto.PasswordBasedEncryptor;
import org.apache.nifi.util.StopWatch;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

@CapabilityDescription("Encrypts or Decrypts a FlowFile using either symmetric encryption with a raw key or password and randomly generated salt, or asymmetric encryption using a public and secret key.")
@SystemResourceConsideration(resource = SystemResource.CPU)
@SupportsBatching
@WritesAttributes({@WritesAttribute(attribute = EncryptContent.ACTION_ATTR, description = "\"encrypted\" or \"decrypted\" depending on the processor action"), @WritesAttribute(attribute = EncryptContent.ALGORITHM_ATTR, description = "The algorithm used for the cryptographic operation"), @WritesAttribute(attribute = EncryptContent.CT_LEN_ATTR, description = "The cipher text length in bytes (including IV, salt, and delimiters if present). Determined from incoming content in decrypt mode; outgoing content in encrypt mode"), @WritesAttribute(attribute = EncryptContent.IV_ATTR, description = "The Initialization Vector in hex encoding (if present)"), @WritesAttribute(attribute = EncryptContent.IV_LEN_ATTR, description = "The IV length in bytes"), @WritesAttribute(attribute = EncryptContent.KDF_ATTR, description = "The Key Derivation Function used if Password-Based Encryption was enabled. See Admin Guide - Key Derivation Functions"), @WritesAttribute(attribute = EncryptContent.KDF_SALT_ATTR, description = "The KDF-specific salt including algorithm and cost parameters (if present). See Admin Guide - Key Derivation Functions"), @WritesAttribute(attribute = EncryptContent.KDF_SALT_LEN_ATTR, description = "The KDF salt length in bytes"), @WritesAttribute(attribute = "encryptcontent.pbkdf2_iterations", description = "The number of iterations used in PBKDF2 KDF (if present). PBKDF2 does not encode the cost parameter in a custom salt"), @WritesAttribute(attribute = EncryptContent.PT_LEN_ATTR, description = "The plaintext length in bytes. Determined from incoming content in encrypt mode; outgoing content in decrypt mode"), @WritesAttribute(attribute = EncryptContent.SALT_ATTR, description = "The raw salt in hex encoding (if present)"), @WritesAttribute(attribute = EncryptContent.SALT_LEN_ATTR, description = "The raw salt length in bytes"), @WritesAttribute(attribute = EncryptContent.TS_ATTR, description = "The timestamp at which the cryptographic operation occurred in 'yyyy-MM-dd HH:mm:ss.SSS Z' format")})
@EventDriven
@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
@Tags({"encryption", "decryption", "password", "JCE", "OpenPGP", "PGP", "GPG", "KDF", "Argon2", "Bcrypt", "Scrypt", "PBKDF2", "salt", "iv"})
@SideEffectFree
/* loaded from: input_file:org/apache/nifi/processors/standard/EncryptContent.class */
public class EncryptContent extends AbstractProcessor {
    private static final String WEAK_CRYPTO_ALLOWED_NAME = "allowed";
    private static final String WEAK_CRYPTO_NOT_ALLOWED_NAME = "not-allowed";
    public static final String IV_ATTR = "encryptcontent.iv";
    public static final String IV_LEN_ATTR = "encryptcontent.iv_length";
    public static final String SALT_ATTR = "encryptcontent.salt";
    public static final String SALT_LEN_ATTR = "encryptcontent.salt_length";
    public static final String KDF_SALT_ATTR = "encryptcontent.kdf_salt";
    public static final String KDF_SALT_LEN_ATTR = "encryptcontent.kdf_salt_length";
    public static final String PT_LEN_ATTR = "encryptcontent.plaintext_length";
    public static final String CT_LEN_ATTR = "encryptcontent.cipher_text_length";
    public static final String TS_ATTR = "encryptcontent.timestamp";
    public static final String ACTION_ATTR = "encryptcontent.action";
    public static final String ALGORITHM_ATTR = "encryptcontent.algorithm";
    public static final String KDF_ATTR = "encryptcontent.kdf";
    private List<PropertyDescriptor> properties;
    private Set<Relationship> relationships;
    public static final String ENCRYPT_MODE = "Encrypt";
    public static final String DECRYPT_MODE = "Decrypt";
    public static final PropertyDescriptor MODE = new PropertyDescriptor.Builder().name("Mode").displayName("Mode").description("Specifies whether the content should be encrypted or decrypted").required(true).allowableValues(new String[]{ENCRYPT_MODE, DECRYPT_MODE}).defaultValue(ENCRYPT_MODE).build();
    public static final PropertyDescriptor KEY_DERIVATION_FUNCTION = new PropertyDescriptor.Builder().name("key-derivation-function").displayName("Key Derivation Function").description("Specifies the key derivation function to generate the key from the password (and salt)").required(true).allowableValues(buildKeyDerivationFunctionAllowableValues()).defaultValue(KeyDerivationFunction.NONE.name()).build();
    public static final PropertyDescriptor ENCRYPTION_ALGORITHM = new PropertyDescriptor.Builder().name("Encryption Algorithm").displayName("Encryption Algorithm").description("The Encryption Algorithm to use").required(true).allowableValues(buildEncryptionMethodAllowableValues()).defaultValue(EncryptionMethod.AES_GCM.name()).build();
    public static final PropertyDescriptor PASSWORD = new PropertyDescriptor.Builder().name("Password").displayName("Password").description("The Password to use for encrypting or decrypting the data").required(false).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).sensitive(true).build();
    public static final PropertyDescriptor PUBLIC_KEYRING = new PropertyDescriptor.Builder().name("public-keyring-file").displayName("Public Keyring File").description("In a PGP encrypt mode, this keyring contains the public key of the recipient").required(false).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    public static final PropertyDescriptor PUBLIC_KEY_USERID = new PropertyDescriptor.Builder().name("public-key-user-id").displayName("Public Key User Id").description("In a PGP encrypt mode, this user id of the recipient").required(false).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    public static final PropertyDescriptor PRIVATE_KEYRING = new PropertyDescriptor.Builder().name("private-keyring-file").displayName("Private Keyring File").description("In a PGP decrypt mode, this keyring contains the private key of the recipient").required(false).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    public static final PropertyDescriptor PRIVATE_KEYRING_PASSPHRASE = new PropertyDescriptor.Builder().name("private-keyring-passphrase").displayName("Private Keyring Passphrase").description("In a PGP decrypt mode, this is the private keyring passphrase").required(false).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).sensitive(true).build();
    public static final PropertyDescriptor PGP_SYMMETRIC_ENCRYPTION_CIPHER = new PropertyDescriptor.Builder().name("pgp-symmetric-cipher").displayName("PGP Symmetric Cipher").description("When using PGP encryption, this is the symmetric cipher to be used. This property is ignored if Encryption Algorithm is not PGP or PGP-ASCII-ARMOR\nNote that the provided cipher is only used duringthe encryption phase, while it is inferred from the ciphertext in the decryption phase").required(false).allowableValues(buildPGPSymmetricCipherAllowableValues()).defaultValue(String.valueOf(7)).build();
    public static final PropertyDescriptor RAW_KEY_HEX = new PropertyDescriptor.Builder().name("raw-key-hex").displayName("Raw Key (hexadecimal)").description("In keyed encryption, this is the raw key, encoded in hexadecimal").required(false).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).sensitive(true).build();
    public static final PropertyDescriptor ALLOW_WEAK_CRYPTO = new PropertyDescriptor.Builder().name("allow-weak-crypto").displayName("Allow insecure cryptographic modes").description("Overrides the default behavior to prevent unsafe combinations of encryption algorithms and short passwords on JVMs with limited strength cryptographic jurisdiction policies").required(true).allowableValues(buildWeakCryptoAllowableValues()).defaultValue(buildDefaultWeakCryptoAllowableValue().getValue()).build();
    public static final Relationship REL_SUCCESS = new Relationship.Builder().name("success").description("Any FlowFile that is successfully encrypted or decrypted will be routed to success").build();
    public static final Relationship REL_FAILURE = new Relationship.Builder().name("failure").description("Any FlowFile that cannot be encrypted or decrypted will be routed to failure").build();

    /* loaded from: input_file:org/apache/nifi/processors/standard/EncryptContent$Encryptor.class */
    public interface Encryptor {
        StreamCallback getEncryptionCallback() throws Exception;

        StreamCallback getDecryptionCallback() throws Exception;

        void updateAttributes(Map<String, String> map);
    }

    private static AllowableValue[] buildKeyDerivationFunctionAllowableValues() {
        KeyDerivationFunction[] values = KeyDerivationFunction.values();
        ArrayList arrayList = new ArrayList(values.length);
        for (KeyDerivationFunction keyDerivationFunction : values) {
            arrayList.add(new AllowableValue(keyDerivationFunction.name(), keyDerivationFunction.getKdfName(), keyDerivationFunction.getDescription()));
        }
        return (AllowableValue[]) arrayList.toArray(new AllowableValue[0]);
    }

    private static AllowableValue[] buildEncryptionMethodAllowableValues() {
        EncryptionMethod[] values = EncryptionMethod.values();
        ArrayList arrayList = new ArrayList(values.length);
        for (EncryptionMethod encryptionMethod : values) {
            arrayList.add(new AllowableValue(encryptionMethod.name(), encryptionMethod.name(), encryptionMethod.toString()));
        }
        return (AllowableValue[]) arrayList.toArray(new AllowableValue[0]);
    }

    private static AllowableValue[] buildWeakCryptoAllowableValues() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new AllowableValue(WEAK_CRYPTO_ALLOWED_NAME, "Allowed", "Operation will not be blocked and no alerts will be presented when unsafe combinations of encryption algorithms and passwords are provided"));
        arrayList.add(buildDefaultWeakCryptoAllowableValue());
        return (AllowableValue[]) arrayList.toArray(new AllowableValue[0]);
    }

    private static AllowableValue buildDefaultWeakCryptoAllowableValue() {
        return new AllowableValue(WEAK_CRYPTO_NOT_ALLOWED_NAME, "Not Allowed", "When set, operation will be blocked and alerts will be presented to the user if unsafe combinations of encryption algorithms and passwords are provided on a JVM with limited strength crypto. To fix this, see the Admin Guide.");
    }

    private static AllowableValue[] buildPGPSymmetricCipherAllowableValues() {
        return new AllowableValue[]{new AllowableValue("1", "IDEA"), new AllowableValue("2", "TRIPLE_DES"), new AllowableValue("3", "CAST5"), new AllowableValue("4", "BLOWFISH"), new AllowableValue("6", "DES"), new AllowableValue("7", "AES_128"), new AllowableValue("8", "AES_192"), new AllowableValue("9", "AES_256"), new AllowableValue("10", "TWOFISH"), new AllowableValue("11", "CAMELLIA_128"), new AllowableValue("12", "CAMELLIA_192"), new AllowableValue("13", "CAMELLIA_256")};
    }

    protected void init(ProcessorInitializationContext processorInitializationContext) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(MODE);
        arrayList.add(KEY_DERIVATION_FUNCTION);
        arrayList.add(ENCRYPTION_ALGORITHM);
        arrayList.add(ALLOW_WEAK_CRYPTO);
        arrayList.add(PASSWORD);
        arrayList.add(RAW_KEY_HEX);
        arrayList.add(PUBLIC_KEYRING);
        arrayList.add(PUBLIC_KEY_USERID);
        arrayList.add(PRIVATE_KEYRING);
        arrayList.add(PRIVATE_KEYRING_PASSPHRASE);
        arrayList.add(PGP_SYMMETRIC_ENCRYPTION_CIPHER);
        this.properties = Collections.unmodifiableList(arrayList);
        HashSet hashSet = new HashSet();
        hashSet.add(REL_SUCCESS);
        hashSet.add(REL_FAILURE);
        this.relationships = Collections.unmodifiableSet(hashSet);
    }

    public Set<Relationship> getRelationships() {
        return this.relationships;
    }

    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return this.properties;
    }

    public static boolean isPGPAlgorithm(String str) {
        return str.startsWith("PGP");
    }

    public static boolean isPGPArmoredAlgorithm(String str) {
        return isPGPAlgorithm(str) && str.endsWith("ASCII-ARMOR");
    }

    protected Collection<ValidationResult> customValidate(ValidationContext validationContext) {
        ArrayList arrayList = new ArrayList(super.customValidate(validationContext));
        EncryptionMethod valueOf = EncryptionMethod.valueOf(validationContext.getProperty(ENCRYPTION_ALGORITHM).getValue());
        String algorithm = valueOf.getAlgorithm();
        String value = validationContext.getProperty(PASSWORD).getValue();
        KeyDerivationFunction valueOf2 = KeyDerivationFunction.valueOf(validationContext.getProperty(KEY_DERIVATION_FUNCTION).getValue());
        String value2 = validationContext.getProperty(RAW_KEY_HEX).getValue();
        boolean equalsIgnoreCase = validationContext.getProperty(MODE).getValue().equalsIgnoreCase(ENCRYPT_MODE);
        if (isPGPAlgorithm(algorithm)) {
            arrayList.addAll(validatePGP(valueOf, value, equalsIgnoreCase, validationContext.getProperty(PUBLIC_KEYRING).getValue(), validationContext.getProperty(PUBLIC_KEY_USERID).getValue(), validationContext.getProperty(PRIVATE_KEYRING).getValue(), validationContext.getProperty(PRIVATE_KEYRING_PASSPHRASE).evaluateAttributeExpressions().getValue(), validationContext.getProperty(PGP_SYMMETRIC_ENCRYPTION_CIPHER).asInteger().intValue()));
        } else {
            boolean equalsIgnoreCase2 = validationContext.getProperty(ALLOW_WEAK_CRYPTO).getValue().equalsIgnoreCase(WEAK_CRYPTO_ALLOWED_NAME);
            if (valueOf.isKeyedCipher()) {
                arrayList.addAll(validateKeyed(valueOf, valueOf2, value2, value, equalsIgnoreCase2, equalsIgnoreCase));
            } else {
                arrayList.addAll(validatePBE(valueOf, valueOf2, value, equalsIgnoreCase2));
            }
        }
        return arrayList;
    }

    private static boolean isValidCipher(int i) {
        return PGP_SYMMETRIC_ENCRYPTION_CIPHER.getAllowableValues().stream().anyMatch(allowableValue -> {
            return allowableValue.getValue().equals(String.valueOf(i));
        });
    }

    private List<ValidationResult> validatePGP(EncryptionMethod encryptionMethod, String str, boolean z, String str2, String str3, String str4, String str5, int i) {
        ArrayList arrayList = new ArrayList();
        if (z && str != null && !isValidCipher(i)) {
            arrayList.add(new ValidationResult.Builder().subject(PGP_SYMMETRIC_ENCRYPTION_CIPHER.getDisplayName()).explanation("When performing an encryption with " + encryptionMethod.getAlgorithm() + " and a symmetric " + PASSWORD.getDisplayName() + ", a" + PGP_SYMMETRIC_ENCRYPTION_CIPHER.getDisplayName() + " is required").build());
        }
        if (str == null) {
            if (z) {
                if (str2 == null || str3 == null) {
                    arrayList.add(new ValidationResult.Builder().subject(PUBLIC_KEYRING.getDisplayName()).explanation(encryptionMethod.getAlgorithm() + " encryption without a " + PASSWORD.getDisplayName() + " requires both " + PUBLIC_KEYRING.getDisplayName() + " and " + PUBLIC_KEY_USERID.getDisplayName()).build());
                } else {
                    try {
                        if (OpenPGPKeyBasedEncryptor.getPublicKey(str3, str2) == null) {
                            arrayList.add(new ValidationResult.Builder().subject(PUBLIC_KEYRING.getDisplayName()).explanation(PUBLIC_KEYRING.getDisplayName() + " " + str2 + " does not contain user id " + str3).build());
                        }
                    } catch (Exception e) {
                        arrayList.add(new ValidationResult.Builder().subject(PUBLIC_KEYRING.getDisplayName()).explanation("Invalid " + PUBLIC_KEYRING.getDisplayName() + " " + str2 + " because " + e.toString()).build());
                    }
                }
            } else if (str4 == null || str5 == null) {
                arrayList.add(new ValidationResult.Builder().subject(PRIVATE_KEYRING.getName()).explanation(encryptionMethod.getAlgorithm() + " decryption without a " + PASSWORD.getDisplayName() + " requires both " + PRIVATE_KEYRING.getDisplayName() + " and " + PRIVATE_KEYRING_PASSPHRASE.getDisplayName()).build());
            } else {
                try {
                    if (!OpenPGPKeyBasedEncryptor.validateKeyring(encryptionMethod.getProvider(), str4, str5.toCharArray())) {
                        arrayList.add(new ValidationResult.Builder().subject(PRIVATE_KEYRING.getDisplayName()).explanation(PRIVATE_KEYRING.getDisplayName() + " " + str4 + " could not be opened with the provided " + PRIVATE_KEYRING_PASSPHRASE.getDisplayName()).build());
                    }
                } catch (Exception e2) {
                    arrayList.add(new ValidationResult.Builder().subject(PRIVATE_KEYRING.getDisplayName()).explanation("Invalid " + PRIVATE_KEYRING.getDisplayName() + " " + str4 + " because " + e2.toString()).build());
                }
            }
        }
        return arrayList;
    }

    private List<ValidationResult> validatePBE(EncryptionMethod encryptionMethod, KeyDerivationFunction keyDerivationFunction, String str, boolean z) {
        List<ValidationResult> validatePassword = validatePassword(encryptionMethod, keyDerivationFunction, str, z);
        List<String> kDFsForPBECipher = getKDFsForPBECipher(encryptionMethod);
        if (keyDerivationFunction == null || !kDFsForPBECipher.contains(keyDerivationFunction.name())) {
            String displayName = KEY_DERIVATION_FUNCTION.getDisplayName();
            validatePassword.add(new ValidationResult.Builder().subject(displayName).explanation(displayName + " is required to be " + StringUtils.join(kDFsForPBECipher, ", ") + " when using algorithm " + encryptionMethod.getAlgorithm() + ". See Admin Guide.").build());
        }
        return validatePassword;
    }

    private List<ValidationResult> validatePassword(EncryptionMethod encryptionMethod, KeyDerivationFunction keyDerivationFunction, String str, boolean z) {
        int minimumSafePasswordLength;
        ArrayList arrayList = new ArrayList();
        boolean z2 = !CipherUtility.isUnlimitedStrengthCryptoSupported();
        if (StringUtils.isEmpty(str)) {
            arrayList.add(new ValidationResult.Builder().subject(PASSWORD.getName()).explanation(PASSWORD.getDisplayName() + " is required when using algorithm " + encryptionMethod.getAlgorithm() + " and KDF " + keyDerivationFunction.getKdfName()).build());
            return arrayList;
        }
        int length = str.getBytes(StandardCharsets.UTF_8).length;
        if (!z && length < (minimumSafePasswordLength = PasswordBasedEncryptor.getMinimumSafePasswordLength())) {
            arrayList.add(new ValidationResult.Builder().subject(PASSWORD.getName()).explanation("Password length less than " + minimumSafePasswordLength + " characters is potentially unsafe. See Admin Guide.").build());
        }
        if (z2) {
            if (encryptionMethod.isUnlimitedStrength()) {
                arrayList.add(new ValidationResult.Builder().subject(ENCRYPTION_ALGORITHM.getName()).explanation(encryptionMethod.name() + " (" + encryptionMethod.getAlgorithm() + ") is not supported by this JVM due to lacking JCE Unlimited Strength Jurisdiction Policy files. See Admin Guide.").build());
            }
            if (!CipherUtility.passwordLengthIsValidForAlgorithmOnLimitedStrengthCrypto(length, encryptionMethod)) {
                arrayList.add(new ValidationResult.Builder().subject(PASSWORD.getName()).explanation("Password length greater than " + CipherUtility.getMaximumPasswordLengthForAlgorithmOnLimitedStrengthCrypto(encryptionMethod) + " characters is not supported by this JVM due to lacking JCE Unlimited Strength Jurisdiction Policy files. See Admin Guide.").build());
            }
        }
        return arrayList;
    }

    private List<ValidationResult> validateKeyed(EncryptionMethod encryptionMethod, KeyDerivationFunction keyDerivationFunction, String str, String str2, boolean z, boolean z2) {
        ArrayList arrayList = new ArrayList();
        if ((!CipherUtility.isUnlimitedStrengthCryptoSupported()) && encryptionMethod.isUnlimitedStrength()) {
            arrayList.add(new ValidationResult.Builder().subject(ENCRYPTION_ALGORITHM.getName()).explanation(encryptionMethod.name() + " (" + encryptionMethod.getAlgorithm() + ") is not supported by this JVM due to lacking JCE Unlimited Strength Jurisdiction Policy files. See Admin Guide.").build());
        }
        int maxAllowedKeyLength = PasswordBasedEncryptor.getMaxAllowedKeyLength(ENCRYPTION_ALGORITHM.getName());
        if (keyDerivationFunction == KeyDerivationFunction.NONE) {
            if (StringUtils.isEmpty(str)) {
                arrayList.add(new ValidationResult.Builder().subject(RAW_KEY_HEX.getName()).explanation(RAW_KEY_HEX.getDisplayName() + " is required when using algorithm " + encryptionMethod.getAlgorithm() + " and KDF " + KeyDerivationFunction.NONE + ". See Admin Guide.").build());
            } else {
                validateKeyHex(encryptionMethod, str, arrayList, maxAllowedKeyLength);
            }
        } else if (!keyDerivationFunction.isStrongKDF()) {
            arrayList.add(new ValidationResult.Builder().subject(KEY_DERIVATION_FUNCTION.getName()).explanation(KEY_DERIVATION_FUNCTION.getDisplayName() + " is required to be " + StringUtils.join(getKDFsForKeyedCipher(), ", ") + " when using algorithm " + encryptionMethod.getAlgorithm()).build());
        } else if (StringUtils.isEmpty(str2)) {
            arrayList.add(new ValidationResult.Builder().subject(PASSWORD.getName()).explanation(PASSWORD.getDisplayName() + " is required when using algorithm " + encryptionMethod.getAlgorithm() + " and KDF " + keyDerivationFunction.getKdfName() + ". See Admin Guide.").build());
        } else {
            arrayList.addAll(validatePassword(encryptionMethod, keyDerivationFunction, str2, z));
        }
        if (z2 && EncryptionMethod.AES_CBC_NO_PADDING == encryptionMethod) {
            arrayList.add(new ValidationResult.Builder().subject(ENCRYPTION_ALGORITHM.getDisplayName()).input(encryptionMethod.name()).explanation(String.format("Encryption not supported for [%s]", encryptionMethod.getAlgorithm())).valid(false).build());
        }
        return arrayList;
    }

    private void validateKeyHex(EncryptionMethod encryptionMethod, String str, List<ValidationResult> list, int i) {
        byte[] bArr = new byte[0];
        try {
            bArr = Hex.decodeHex(str.toCharArray());
        } catch (DecoderException e) {
            list.add(new ValidationResult.Builder().subject(RAW_KEY_HEX.getName()).explanation("Key must be valid hexadecimal string. See Admin Guide.").build());
        }
        if (bArr.length * 8 > i) {
            list.add(new ValidationResult.Builder().subject(RAW_KEY_HEX.getName()).explanation("Key length greater than " + i + " bits is not supported by this JVM due to lacking JCE Unlimited Strength Jurisdiction Policy files. See Admin Guide.").build());
        }
        if (CipherUtility.isValidKeyLengthForAlgorithm(bArr.length * 8, encryptionMethod.getAlgorithm())) {
            return;
        }
        list.add(new ValidationResult.Builder().subject(RAW_KEY_HEX.getName()).explanation("Key must be valid length [" + StringUtils.join(CipherUtility.getValidKeyLengthsForAlgorithm(encryptionMethod.getAlgorithm()), ", ") + "]. See Admin Guide.").build());
    }

    private List<String> getKDFsForKeyedCipher() {
        List<String> list = (List) Arrays.stream(KeyDerivationFunction.values()).filter((v0) -> {
            return v0.isStrongKDF();
        }).map((v0) -> {
            return v0.name();
        }).collect(Collectors.toList());
        list.add(KeyDerivationFunction.NONE.name());
        return list;
    }

    private List<String> getKDFsForPBECipher(EncryptionMethod encryptionMethod) {
        List<String> list = encryptionMethod.isCompatibleWithStrongKDFs() ? (List) Arrays.stream(KeyDerivationFunction.values()).map((v0) -> {
            return v0.name();
        }).collect(Collectors.toList()) : (List) Arrays.stream(KeyDerivationFunction.values()).filter(keyDerivationFunction -> {
            return !keyDerivationFunction.isStrongKDF();
        }).map((v0) -> {
            return v0.name();
        }).collect(Collectors.toList());
        list.remove(KeyDerivationFunction.NONE.name());
        return list;
    }

    public void onTrigger(ProcessContext processContext, ProcessSession processSession) {
        FlowFile flowFile = processSession.get();
        if (flowFile == null) {
            return;
        }
        ComponentLog logger = getLogger();
        EncryptionMethod valueOf = EncryptionMethod.valueOf(processContext.getProperty(ENCRYPTION_ALGORITHM).getValue());
        String provider = valueOf.getProvider();
        String algorithm = valueOf.getAlgorithm();
        Integer asInteger = processContext.getProperty(PGP_SYMMETRIC_ENCRYPTION_CIPHER).asInteger();
        String value = processContext.getProperty(PASSWORD).getValue();
        KeyDerivationFunction valueOf2 = KeyDerivationFunction.valueOf(processContext.getProperty(KEY_DERIVATION_FUNCTION).getValue());
        boolean equalsIgnoreCase = processContext.getProperty(MODE).getValue().equalsIgnoreCase(ENCRYPT_MODE);
        try {
            Encryptor createPGPEncryptor = isPGPAlgorithm(algorithm) ? createPGPEncryptor(processContext, flowFile, provider, algorithm, asInteger, value, equalsIgnoreCase) : valueOf2.equals(KeyDerivationFunction.NONE) ? createKeyedEncryptor(processContext, valueOf) : createPBEEncryptor(valueOf, value, valueOf2);
            StreamCallback encryptionCallback = equalsIgnoreCase ? createPGPEncryptor.getEncryptionCallback() : createPGPEncryptor.getDecryptionCallback();
            try {
                StopWatch stopWatch = new StopWatch(true);
                FlowFile write = processSession.write(flowFile, encryptionCallback);
                HashMap hashMap = new HashMap(write.getAttributes());
                createPGPEncryptor.updateAttributes(hashMap);
                flowFile = processSession.putAllAttributes(write, hashMap);
                Object[] objArr = new Object[2];
                objArr[0] = equalsIgnoreCase ? "en" : "de";
                objArr[1] = flowFile;
                logger.info("successfully {}crypted {}", objArr);
                processSession.getProvenanceReporter().modifyContent(flowFile, stopWatch.getElapsed(TimeUnit.MILLISECONDS));
                processSession.transfer(flowFile, REL_SUCCESS);
            } catch (ProcessException e) {
                Object[] objArr2 = new Object[3];
                objArr2[0] = equalsIgnoreCase ? "en" : "de";
                objArr2[1] = flowFile;
                objArr2[2] = e;
                logger.error("Cannot {}crypt {} - ", objArr2);
                processSession.transfer(flowFile, REL_FAILURE);
            }
        } catch (Exception e2) {
            Object[] objArr3 = new Object[2];
            objArr3[0] = equalsIgnoreCase ? "en" : "de";
            objArr3[1] = e2;
            logger.error("Failed to initialize {}cryption algorithm because - ", objArr3);
            processSession.rollback();
            processContext.yield();
        }
    }

    private Encryptor createPGPEncryptor(ProcessContext processContext, FlowFile flowFile, String str, String str2, Integer num, String str3, boolean z) {
        String attribute = flowFile.getAttribute(CoreAttributes.FILENAME.key());
        String value = processContext.getProperty(PUBLIC_KEYRING).getValue();
        String value2 = processContext.getProperty(PRIVATE_KEYRING).getValue();
        return (!z || value == null) ? (z || value2 == null) ? new OpenPGPPasswordBasedEncryptor(str2, num, str, Normalizer.normalize(str3, Normalizer.Form.NFC).toCharArray(), attribute) : new OpenPGPKeyBasedEncryptor(str2, num, str, value2, null, processContext.getProperty(PRIVATE_KEYRING_PASSPHRASE).evaluateAttributeExpressions().getValue().toCharArray(), attribute) : new OpenPGPKeyBasedEncryptor(str2, num, str, value, processContext.getProperty(PUBLIC_KEY_USERID).getValue(), null, attribute);
    }

    private Encryptor createKeyedEncryptor(ProcessContext processContext, EncryptionMethod encryptionMethod) throws DecoderException {
        return new KeyedEncryptor(encryptionMethod, Hex.decodeHex(processContext.getProperty(RAW_KEY_HEX).getValue().toCharArray()));
    }

    private Encryptor createPBEEncryptor(EncryptionMethod encryptionMethod, String str, KeyDerivationFunction keyDerivationFunction) {
        return new PasswordBasedEncryptor(encryptionMethod, Normalizer.normalize(str, Normalizer.Form.NFC).toCharArray(), keyDerivationFunction);
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
    }
}
